rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Systemd BSOD QR Payload #18608

Open sempervictus opened 11 months ago

sempervictus commented 11 months ago

Summary

Apparently the brilliant folks over at systemd decided to place opaque QR codes in "scary full screen error messages" which sysadmins will need to use to get more information on the crash: https://www.phoronix.com/news/systemd-255... Obviously we want to use that QR code to pivot from the system we "crash" into the phone of the sysadmin as that's where MFA prompts are usually resolved and it likely has network adjacency to "other fun things" as well as storage of/access to valuable data.

Suggest a post/exploit module to synthesize a crash inserting our own QR code into the output as a lure for hapless victims to scan into their device.

Basic example

  1. Gain foothold on Linux host with systemd 255+
  2. Gain privileges sufficient to cause a BSOD (preferably without actually breaking things) and intermediation of or substitution for the QR code/input data to its generation.
  3. Cause the crash, hijacking the QR contents to point to our exploit service
  4. Start handler, wait for victim, browser autopwn the phone

Motivation

Why are we doing this? What use cases does it support? What is the expected outcome?

sempervictus commented 11 months ago

Should look something like: [image] :wink:

Something like a browser autopwn which detects the UA and provides a payload embedded in an app or serves an actual exploit listening on the Framework side should let us "pivot over network-less space"

Edit: for testing, install an up to date Arch Linux; run /usr/lib/systemd/systemd-bsod -c and sudo systemd-cat -p emerg echo 'target.url' in another term (or run systemd-bsod as a service).

namgo commented 11 months ago

Hey all, I'm just following up on this issue with a question:

All that's really required to make this work as I understand is: "systemctl start systemd-bsod && systemd-cat -p emerg echo '#{msg}'"

This seems like a silly payload since the user has to set up their own browser_autopwn(2) auxiliary separately. Is there a common pattern you have for payloads that depend on your auxiliary services?

I apologize if there's a common pattern I'm missing; I'm not a security professional, I just saw this and thought it would be fun to add.

Edit: While looking at systemd-bsod's source (https://github.com/systemd/systemd/blob/ae3fb96d1f686f521e0eb94aa9f3446a5448e2d6/src/journal/bsod.c), I thought it might be possible to write a payload that provides a message separately from the QR code, but this would have to be written in something other than shell commands. You'd be hijacking the QR code "pattern" without calling systemd-bsod directly; is this useful or does it fall outside of the scope of this ticket?

sempervictus commented 10 months ago

I'm thinking something a bit more latent which uses this as a delivery vector, but in principle - yes. The point here being to generate a QR code run by the phone of the poor engineer 'responding' to the mess we've created. It's part social engineering, part technical vectorization. Whole thing just strikes me as so stupid that it merits a PoC as a cautionary tale. Will get to it at some point.